OWASP H2H Tool Project

Main
FAQs
Acknowledgements
Road Map and Getting Involved
Project About

OWASP H2H Tool Project

H2H is an opensource project allowing to detect all entry points of web applications developped in Java. Entry point and EndPoint are defined and explained in these articles : https://digitalguardian.com/resources/data-security-knowledge-base/endpoint-detection-and-response-edr and Gartner http://www.gartner.com/technology/reprints.do?id=1-26F1285&ct=141223&st=sb. From our point of view most web applications written in Java are made of spaghetti code and use more and more complex frameworks. H2H aims at making easier the job of detect vulnerabilities of Web applications written in Java by showing them all endpoints. That means focusing on the code, written by the project's developpers, that answers to requests (http requests, RMI calls, etc.) We could have made a list of all servlets, filters or listeners but, with frameworks such as Spring or JSF, granularity is not enough. That's because these frameworks expose their own component (servlet/listener) first, then dispatch the request (according to the uri or a context) to the code developped by the project. H2H analyze all the most used/frequent frameworks to get all the endpoints.

Notre objectif est de trouver 100% des points d'entrée pour améliorer la couverture de test lors des Pentest ou des audits de sécurité. Our purpose is to find 100% endpoints to improve the coverage of test during Pentests or security audit.

Description

H2H is a java agent which realizes several tasks :

H2H scan the entire application and all frameworks to list all endpoints. Here is the list of components analyzed by H2H (framework)

It is possible to activate a sensor in H2H that monitore each endpoint. For example, this monitoring allows during a Pentest to know if all scenarios have all been through all endpoints.

It is possible to activate a sensor in H2H that monitore each endpoint's performance

Visualization of entry points can be done via a new url added by H2H or by the application H2H-Web Vizualisation Project

The project is composed of 2 sub-projects : the Core : Agent for Java project and the web : interface for user-friendly.

Licensing

H2H is a open source project with licence Apache 2.

This program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. OWASP XXX and any contributions are Copyright © by {the Project Leader(s) or OWASP} {Year(s)}.

Project Resources

Main Page

Core Project

Vizualisation Project

Documentation

Issue Tracker

Project Leader

Damien Kerbart
Jean-Louis Boudart
Guillaume Dufour
Nicolas Poirier

Classifications

News and Events

[12 Aout 2015] First Release

Coming soon

How can I participate in your project?

Fork our repository Github and Pull request !

== Installation

For core : https://github.com/highway-to-urhell/highway-to-urhell/blob/master/README.md

For Web-Project : https://github.com/highway-to-urhell/highway-to-urhell-web/wiki

Contributors

The first contributors to the project were:

[Jean-Louis Boudart]
[Damien Kerbart]
[Guillaume Dufour]
[Nicolas Poirier]

Add Performance Counter for next Release
Add export configuration for Apache, F5, Nginx

PROJECT INFO
What does this OWASP project offer you?

RELEASE(S) INFO
What releases are available for this project?

what	is this project?
Name: N/A
Purpose: N/A
License: N/A
who	is working on this project?
Project Leader(s): N/A
how	can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: N/A
Project Roadmap: Not Yet Created
Key Contacts
Contact the GPC to contribute to this project Contact the GPC to review or sponsor this project

current release

pending
last reviewed release
pending

other releases

OWASP H2H Tool Project